import pymysql
'''
通过用户名获取用户信息
'''
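# Create the connection object, then the cursor object.
# NOTE(review): the root/root credentials are hard-coded; outside a local demo,
# connect with a least-privilege account and load the secret from configuration.
conn = pymysql.connect(user='root', password='root', database='advanced', charset='utf8')
try:
    cursor = conn.cursor()
    try:
        # Read the student name to look up; this is untrusted user input.
        name = input('姓名:')
        # An input such as  ' or 1=1 or '  would rewrite the WHERE clause if it
        # were spliced into the SQL text, so the value is passed as a bound
        # parameter instead. The pymysql placeholder is a lowercase %s and must
        # not be wrapped in quotes: the driver escapes and quotes the value
        # itself. The earlier '%S' form is not a valid placeholder.
        sql = "SELECT * from student where stu_name = %s"
        print(sql)
        rows = cursor.execute(sql, (name,))
        if rows:
            # Fetch the whole result set.
            student = cursor.fetchall()
            print(student)
        else:
            print('没有要找的学生')
    finally:
        # Release the cursor even when the query raises.
        cursor.close()
finally:
    # Always close the connection so a failed lookup does not leak it.
    conn.close()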